Alcor UFD Controller Hacking update 2

In these days between some exercises for a microeconomics exam , i’ve continued to work on reverse engineering the Alcor 698x UFD microcontroller, and i’ve got another poor quality Alcor based flash drive from a friend , so now i’ve an 8 GB one , and a 4 GB one.

I’ve started , with the help of wireshark , usbmon and a virtual machine running windows with USB forwarding by SPICE , reverse engineering the format of the various vendor specific commands that are sent to the flash drive.

But while working on it i’ve encountered a serious problem , the Linux kernel scsi implementation removes the 3 MSBs from the 2nd byte of the SCSI commands , which in our case , breaks various commands , for example , 0x51 directed at LUN 0 , would become 0x11.

The interesting commands now are two: 0x82 and 0x81 , they are used to download and upload configurations to the flash drive.

02: This byte is a checksum of the all bytes before it , if you set it incorrectly , the flash drive will refuse to use the settings, to calculate it , sum all bytes values ( unsigned ) , and then do &0xFF to use only the first eight bits.